"TypeInitializationException" received while generating token

[pheeca]

Which version of Duende IdentityServer are you using?
5.2.0

Which version of .NET are you using?
9.0

Other relevant libraries?
Microsoft.AspNetCore.Api 6.0.3
AutoMapper 10.0.0

Duende IdentityServer 5.2.0 is deprecated, why are you not using latest version?
Latest Duende IdentityServer works with latest Microsoft.AspNetCore.ApiAuthorization.IdentityServer (v7), which have a bug dotnet/aspnetcore#57310
Therefore using v7 is not possible

Describe the bug:
When creating token, exception is generated. Register is working fine. Tried it with minimal web api and entityframework without jwt or mvc. using/inheriting from default dbcontext(for ef migration) without any custom change.

Here is the exception received on url configured https://localhost:7261/connect/token

System.TypeInitializationException: The type initializer for 'Duende.IdentityServer.EntityFramework.Mappers.ClientMappers' threw an exception.
 ---> System.ArgumentException: GenericArguments[0], 'System.Char', on 'T MaxFloat[T](System.Collections.Generic.IEnumerable`1[T])' violates the constraint of type 'T'.
 ---> System.Security.VerificationException: Method System.Linq.Enumerable.MaxFloat: type argument 'System.Char' violates the constraint of type parameter 'T'.
   at System.RuntimeMethodHandle.GetStubIfNeeded(RuntimeMethodHandleInternal method, RuntimeType declaringType, RuntimeType[] methodInstantiation)
   at System.Reflection.RuntimeMethodInfo.MakeGenericMethod(Type[] methodInstantiation)
   --- End of inner exception stack trace ---
   at System.RuntimeType.ValidateGenericArguments(MemberInfo definition, RuntimeType[] genericArguments, Exception e)
   at System.Reflection.RuntimeMethodInfo.MakeGenericMethod(Type[] methodInstantiation)
   at AutoMapper.TypeDetails.<>c__DisplayClass30_1.<BuildPublicNoArgExtensionMethods>b__10(MethodInfo extensionMethod)
   at System.Linq.Enumerable.ArrayWhereSelectIterator`2.MoveNext()
   at System.Linq.Enumerable.ConcatIterator`1.MoveNext()
   at System.Linq.Enumerable.SelectManyIterator[TSource,TCollection,TResult](IEnumerable`1 source, Func`2 collectionSelector, Func`3 resultSelector)+MoveNext()
   at System.Linq.Enumerable.IEnumerableWhereSelectIterator`2.MoveNext()
   at System.Collections.Generic.HashSet`1.UnionWith(IEnumerable`1 other)
   at System.Linq.Enumerable.UnionIterator`1.FillSet()
   at System.Linq.Enumerable.UnionIterator`1.ToArray()
   at AutoMapper.TypeDetails.BuildPublicNoArgExtensionMethods(IEnumerable`1 sourceExtensionMethodSearch)
   at AutoMapper.TypeDetails..ctor(Type type, ProfileMap config)
   at AutoMapper.ProfileMap.TypeDetailsFactory(Type type)
   at AutoMapper.Internal.LockingConcurrentDictionary`2.<>c__DisplayClass2_1.<.ctor>b__1()
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at AutoMapper.Internal.LockingConcurrentDictionary`2.GetOrAdd(TKey key)
   at AutoMapper.ProfileMap.CreateTypeDetails(Type type)
   at AutoMapper.TypeMapFactory.CreateTypeMap(Type sourceType, Type destinationType, ProfileMap options, Boolean isReverseMap)
   at AutoMapper.ProfileMap.BuildTypeMap(IConfigurationProvider configurationProvider, ITypeMapConfiguration config)
   at AutoMapper.ProfileMap.Register(IConfigurationProvider configurationProvider)
   at AutoMapper.MapperConfiguration.Seal()
   at AutoMapper.MapperConfiguration..ctor(MapperConfigurationExpression configurationExpression)
   at AutoMapper.MapperConfiguration..ctor(Action`1 configure)
   at Duende.IdentityServer.EntityFramework.Mappers.ClientMappers..cctor() in /_/src/EntityFramework.Storage/Mappers/ClientMappers.cs:line 16
   --- End of inner exception stack trace ---
   at Duende.IdentityServer.EntityFramework.Mappers.ClientMappers.ToModel(Client entity) in /_/src/EntityFramework.Storage/Mappers/ClientMappers.cs:line 29
   at Duende.IdentityServer.EntityFramework.Stores.ClientStore.FindClientByIdAsync(String clientId) in /_/src/EntityFramework.Storage/Stores/ClientStore.cs:line 70
   at Duende.IdentityServer.Stores.ValidatingClientStore`1.FindClientByIdAsync(String clientId) in /_/src/IdentityServer/Stores/ValidatingClientStore.cs:line 52
   at Duende.IdentityServer.Stores.IClientStoreExtensions.FindEnabledClientByIdAsync(IClientStore store, String clientId) in /_/src/IdentityServer/Extensions/IClientStoreExtensions.cs:line 23
   at Duende.IdentityServer.Validation.ClientSecretValidator.ValidateAsync(HttpContext context) in /_/src/IdentityServer/Validation/Default/ClientSecretValidator.cs:line 67
   at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 78
   at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 70
   at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IIssuerNameService issuerNameService, IBackChannelLogoutService backChannelLogoutService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 84
   at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IIssuerNameService issuerNameService, IBackChannelLogoutService backChannelLogoutService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 99
   at Duende.IdentityServer.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes) in /_/src/IdentityServer/Hosting/MutualTlsEndpointMiddleware.cs:line 94
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 47
   at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 31
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

HEADERS
=======
Accept: */*
Connection: keep-alive
Host: localhost:7261
User-Agent: PostmanRuntime/7.45.0
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 141
X-API-Key: {{token}}
Postman-Token: 0caf68a7-2762-4c71-b95b-4461be2c16b6

Relevant code
program.cs

using Microsoft.AspNetCore.Identity.UI.Services;
using P2P.Core.Interfaces;
using P2P.Infrastructure.Configurations;
using P2P.Infrastructure.Services;
using P2P.Website.Attributes;
using Serilog;
using Serilog.Context;
using Serilog.Sinks.MSSqlServer;
using Microsoft.AspNetCore.Mvc.NewtonsoftJson;
using Microsoft.AspNetCore.Identity;
using P2P.Core.Entities.ERP;

var builder = WebApplication.CreateBuilder(args);

builder.Host.ConfigureAppConfiguration(x => x.AddJsonFile("connection.json"+ (builder.Environment.IsDevelopment()?".debug":"")));
builder.Host.ConfigureAppConfiguration(x => x.AddJsonFile("serilogsettings.json"));

// Add services to the container.
P2P.Infrastructure.Dependencies.ConfigureServices(builder.Configuration, builder.Services);
await P2P.Infrastructure.Dependencies.MigrateDatabasesAsync(builder.Services);

builder.Services.AddPolicies(builder.Services.BuildServiceProvider());

builder.Services.AddDatabaseDeveloperPageExceptionFilter();


//Dependency Injection
builder.Services.AddTransient<IEmailSender, EmailSender>();
builder.Services.AddTransient<ISmsSender, SMSSender>();

//Configure AutoMapper
builder.Services.AddSingleton<IEntityMapper, EntityMapper>();

//Configure Logging
var logger = new LoggerConfiguration()
    .CreateBootstrapLogger();
builder.Host.UseSerilog((ctx, lc) => lc
        .ReadFrom.Configuration(ctx.Configuration)
);



builder.Services.AddControllers().AddNewtonsoftJson(options =>
        options.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore
    );
// Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
builder.Services.AddOpenApi();

builder.Services.AddAuthentication("Bearer")
    .AddOAuth2Introspection("Bearer", options =>
    {
        options.Authority = "https://localhost:7261";
        options.ClientId = "api1";
        options.ClientSecret = "secret";
    });

var app = builder.Build();
app.UseIdentityServer();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    app.MapOpenApi();
    app.UseMigrationsEndPoint();
}
else
{
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseIdentityServer();
app.UseAuthentication();

app.UseAuthorization();


app.UseSerilogRequestLogging();

app.MapControllers();

app.MapPost("/Account/Register", async (
    [Microsoft.AspNetCore.Mvc.FromBody] Microsoft.AspNetCore.Identity.UI.V5.Pages.Account.Internal.RegisterModel.InputModel model,
    UserManager<ApplicationUser> userManager) =>
{
    var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
    var result = await userManager.CreateAsync(user, model.Password);

    return result.Succeeded
        ? Results.Ok("Registration successful")
        : Results.BadRequest(result.Errors);
});

app.Run();

Dependencies.cs

using Duende.IdentityServer.EntityFramework.Entities;
using Duende.IdentityServer.Models;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using P2P.Core.Entities.ERP;
using P2P.Infrastructure.ERP;

namespace P2P.Infrastructure
{
    public static class Dependencies
    {
        public static void ConfigureServices(IConfiguration configuration, IServiceCollection services)
        {
            var useOnlyInMemoryDatabase = false;
            if (configuration["UseOnlyInMemoryDatabase"] != null)
            {
                useOnlyInMemoryDatabase = bool.Parse(configuration["UseOnlyInMemoryDatabase"]);
            }

            if (useOnlyInMemoryDatabase)
            {

                services.AddDbContext<ApplicationDbContext>(options =>
                    options.UseInMemoryDatabase("Identity"));
            }
            else
            {
               

                var connectionString = configuration.GetConnectionString("IdentityConnection") ?? throw new InvalidOperationException("Connection string 'IdentityConnection' not found.");
                services.AddDbContext<ApplicationDbContext>(options =>
                    options.UseSqlServer(connectionString));
                services.AddDbContext<ConfigurationDbContext>(options =>
                    options.UseSqlServer(connectionString));

                services.AddDefaultIdentity<ApplicationUser>(options =>
                {
                    options.SignIn.RequireConfirmedAccount = true;
                    options.User.RequireUniqueEmail = true;
                    options.Password.RequireDigit = true;
                    options.Password.RequiredLength = 8;
                })
                    .AddRoles<IdentityRole>()
                    .AddEntityFrameworkStores<ApplicationDbContext>();

                services.AddIdentityServer()
                    .AddAspNetIdentity<ApplicationUser>()
                    .AddConfigurationStore(options =>
                                   options.ConfigureDbContext = b =>
                                        b.UseSqlServer(connectionString))
                    .AddOperationalStore(options =>
                                    options.ConfigureDbContext = b =>
                                        b.UseSqlServer(connectionString))
                    .AddDeveloperSigningCredential();
            }
        }

        private static async Task<bool> IsDatabaseEmpty(IServiceProvider serviceProvider)
        {
            using var scope = serviceProvider.CreateScope();
            var context = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>();

            try
            {
                // Check if database exists and has any tables
                var conn = context.Database.GetDbConnection();
                await conn.OpenAsync();

                using var command = conn.CreateCommand();
                command.CommandText = @"
                    SELECT COUNT(*) 
                    FROM INFORMATION_SCHEMA.TABLES 
                    WHERE TABLE_TYPE = 'BASE TABLE' and TABLE_NAME not like '%Log%' and TABLE_NAME not like '%__EFMigrationsHistory%'";

                var result = (int)await command.ExecuteScalarAsync();
                return result == 0; // Database is empty if no tables exist
            }
            catch
            {
                return true; // Consider empty if connection fails
            }
        }


        public static async Task MigrateDatabasesAsync(IServiceCollection services)
        {
            using var serviceProvider = services.BuildServiceProvider();
            var config = serviceProvider.GetRequiredService<IConfiguration>();
            if (!await IsDatabaseEmpty(serviceProvider))
            {
                return;
            }

            // Migrate Identity DbContext
            using (var scope = serviceProvider.CreateScope())
            {
                var context = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>();
                await context.Database.MigrateAsync();
            }

            // Migrate IdentityServer Configuration DbContext
            using (var scope = serviceProvider.CreateScope())
            {
                var context = scope.ServiceProvider.GetRequiredService<ConfigurationDbContext>();
                await context.Database.MigrateAsync();
                await SeedConfigurationData(context);
            }

        }
        private static async Task SeedConfigurationData(ConfigurationDbContext context)
        {
            if (!await context.Clients.AnyAsync())
            {
                // Create client entity manually
                var clientEntity = new Duende.IdentityServer.EntityFramework.Entities.Client
                {
                    ClientId = "react",
                    ClientName = "React Client",
                    ProtocolType = "oidc",
                    RequireClientSecret = true,
                    AllowedGrantTypes = new List<ClientGrantType>
            {
                new ClientGrantType { GrantType = "password" }
            },
                    ClientSecrets = new List<ClientSecret>
            {
                new ClientSecret
                {
                    Value = "secret".Sha256(),
                    Type = "SharedSecret",
                    Description = "Client secret"
                }
            },
                    AllowedScopes = new List<ClientScope>
            {
                new ClientScope { Scope = "openid" },
                new ClientScope { Scope = "profile" },
                new ClientScope { Scope = "api1" }
            },
                    AllowOfflineAccess = false,
                    AccessTokenType = 1, 
                    RequireConsent = false,
                    AlwaysIncludeUserClaimsInIdToken = true,
                    Enabled = true,
                    RequirePkce = false,
                    RefreshTokenUsage = 0, // ReUse
                    RefreshTokenExpiration = 1, // Absolute
                    AbsoluteRefreshTokenLifetime = 2592000, // 30 days
                    AccessTokenLifetime = 3600, // 1 hour
                    IdentityTokenLifetime = 300,
                    AuthorizationCodeLifetime = 300,
                    SlidingRefreshTokenLifetime = 1296000
                };

                context.Clients.Add(clientEntity);
                context.SaveChanges();
            }
            if (!await context.IdentityResources.AnyAsync())
            {
                // OpenID
                var openIdEntity = new Duende.IdentityServer.EntityFramework.Entities.IdentityResource
                {
                    Name = "openid",
                    DisplayName = "Your user identifier",
                    Required = true,
                    Emphasize = false,
                    ShowInDiscoveryDocument = true,
                    Enabled = true,
                    UserClaims = new List<IdentityResourceClaim>(),
                    Properties = new List<IdentityResourceProperty>()
                };
                openIdEntity.UserClaims.Add(new Duende.IdentityServer.EntityFramework.Entities.IdentityResourceClaim
                {
                    Type = "sub"
                });

                // Profile
                var profileEntity = new Duende.IdentityServer.EntityFramework.Entities.IdentityResource
                {
                    Name = "profile",
                    DisplayName = "User profile",
                    Description = "Your user profile information",
                    Required = false,
                    Emphasize = true,
                    ShowInDiscoveryDocument = true,
                    Enabled = true,
                    UserClaims = new List<IdentityResourceClaim>(),
                    Properties = new List<IdentityResourceProperty>()
                };
                profileEntity.UserClaims.Add(new Duende.IdentityServer.EntityFramework.Entities.IdentityResourceClaim
                {
                    Type = "name"
                });
                profileEntity.UserClaims.Add(new Duende.IdentityServer.EntityFramework.Entities.IdentityResourceClaim
                {
                    Type = "family_name"
                });
          
                context.IdentityResources.Add(openIdEntity);
                context.IdentityResources.Add(profileEntity);
                context.SaveChanges();
            }

            if (!context.ApiScopes.Any())
            {
                var scopeEntity = new Duende.IdentityServer.EntityFramework.Entities.ApiScope
                {
                    Name = "api1",
                    DisplayName = "My API",
                    Description = "API access",
                    Enabled = true,
                    ShowInDiscoveryDocument = true,
                    // Initialize collections
                    UserClaims = new List<ApiScopeClaim>(),
                    Properties = new List<ApiScopeProperty>()
                };

                context.ApiScopes.Add(scopeEntity);
                await context.SaveChangesAsync();
            }
            if (!context.ApiResources.Any())
            {
                context.ApiResources.Add(new Duende.IdentityServer.EntityFramework.Entities.ApiResource { Name = "api1" , DisplayName= "My API" });
                await context.SaveChangesAsync();
            }
        }

    }
}

ApplicationDbContext.cs

using Duende.IdentityServer.EntityFramework.Options;
using Microsoft.AspNetCore.ApiAuthorization.IdentityServer;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Options;
using P2P.Core.Entities.ERP;

namespace P2P.Infrastructure.ERP
{
    public class ApplicationDbContext : ApiAuthorizationDbContext<ApplicationUser>
    {
        public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options, IOptions<OperationalStoreOptions> operationalStoreOptions)
            : base(options, operationalStoreOptions)
        {
            
        }

        protected override void OnModelCreating(ModelBuilder builder)
        {
            base.OnModelCreating(builder);

        }
    }
}

Relevant calls for reproducibility:
POST (json): https://localhost:7261/Account/Register
{
"email": "[email protected]",
"password": "SecurePassword123!",
"confirmPassword": "SecurePassword123!"
}

POST(x-www-form-urlencoded): https://localhost:7261/connect/token
client_id:react
client_secret:secret
grant_type:password
username:[email protected]
password:SecurePassword123!
scope:openid profile api1

To Reproduce:

1. setup new project for webapi, code attached.
2. add ef migration and run it
3. run the project and register a user
4. generate login/token for the user

Expected behavior:
"https://localhost:7261/connect/token" call should respond with generated token if logic successful.

[wcabus]

Your statement "Latest Duende IdentityServer works with latest Microsoft.AspNetCore.ApiAuthorization.IdentityServer (v7), which have a bug dotnet/aspnetcore#57310" is not entirely correct.
Duende IdentityServer does not have a dependency on Microsoft.AspNetCore.ApiAuthorization.IdentityServer, it is the other way around: Microsoft provided a NuGet package to extend Duende IdentityServer, but most likely pulled the plug on maintaining the package when deciding to stop shipping IdentityServer in the .NET 8 SPA templates.

It also seems that you're trying to use IdentityServer 5.2.0 on .NET 9: this was never intended to be supported, and unfortunately, we stopped supporting IdentityServer v5 on December 13, 2022 already. Currently, we only support IdentityServer v7.

We strongly suggest updating IdentityServer to the latest version. Not only because of updates (including security fixes) we've done, but also to ensure that you're using a recent and supported version of ASP.NET Core.

If you still need Microsoft.AspNetCore.ApiAuthorization.IdentityServer, you may want to have a look at https://github.com/paviad/apiauthorization-identityserver (NuGet package).
Note: we didn't check this project, nor do we maintain it. This project is created by someone who was in a similar situation and decided to update Microsoft's project to work with IdentityServer v7.0.8. While it may work with the latest version of IdentityServer, we can't guarantee that it will.